Google Glass In the Workplace

Jackson Lewis LLP

The WSJ reported on November 22, 2013, on Google’s push to move Google Glass, a computerized device with an “optical head-mounted display,” into the mainstream by tapping the prescription eyewear market through VSP Global—a nationwide vision benefits provider and maker of frames and lenses. If the speed and immersion of technology over the past few years has shown us anything, it is that it will not be long before employees are wearing Google Glass on the job, putting yet another twist on technology’s impact on the workplace.

Employers continue to adjust to the influx of personal smartphones in the workplace, many adopting “Bring Your Own Device” (BYOD) strategies and policies. These technologies have no doubt been beneficial to businesses and workplaces around the globe. The introduction of Google Glass into the workplace may bring similar benefits, but the technology could also amplify many of the same challenges as other personal devices, and create new ones.

For example, employers may experience productivity losses as employees focus on their Glass eyepiece rather than on their managers, co-workers, or customers. Likewise, some businesses will need to consider whether Google Glass may contribute to a lack of attention to tasks that creates significant safety risks for workers and customers, such as for employees who drive or operate machinery as a regular part of their jobs.

A popular feature of Google Glass is the ability to record audio and video. Smartphones and other devices do this already, but recording with Glass seems much easier and may become less obvious over time as we get used to seeing people wearing Glass. Of course, the recording of activities and conversations in the workplace raises a number of issues. In healthcare, for instance, employees might capture protected health information with their devices, potentially without the protections required under HIPAA. Conversations recorded without the consent of the appropriate parties can violate the law in a number of states. Employees with regular access to sensitive financial information could easily capture a wealth of personal data, raising yet another data privacy and security risk.

Even where data captured on Glass is collected, used and safeguarded properly, it adds to the challenge businesses face in avoiding spoliation of data stored in these additional repositories of potentially relevant evidence.

Only time and experience will tell what the impact of Google Glass will be in the workplace. However, as companies continue to adapt to present technologies, they should be keeping an eye on the inevitable presence of such new technologies, and avoid being caught without a strategy for reducing risks and avoidable litigation.

Article by: Joseph J. Lazzarotti of Jackson Lewis LLP

California Enacts New Data Privacy Laws

Sheppard Mullin 2012

As part of a flurry of new privacy legislation, California Governor Jerry Brown signed two new data privacy bills into law on September 27, 2013: S.B. 46 amending California’s data security breach notification law and A.B. 370 regarding disclosure of “do not track” and other tracking practices in online privacy policies. Both laws will come into effect on January 1, 2014.

New Triggers for Data Security Breach Notification

California law already requires notice to affected customers of unauthorized access to, or disclosure of, personal information in certain circumstances. S.B. 46 adds a new category of data that triggers these notification requirements: a user name or email address, in combination with a password or security question and answer that would permit access to an online account.

Where the information subject to a breach falls only under this new category, companies may provide a security breach notification in electronic or other form that directs affected customers to promptly change their passwords and security questions or answers, as applicable, or to take other steps appropriate to protect the affected online account and all other online accounts for which the customer uses the same user name or email address and password or security question or answer. In the case of login credentials for an email account provided by the company, the company must not send the security breach notification to the implicated email address; it must instead provide notice by one of the other methods currently provided for by California law, or by clear and conspicuous notice delivered to the affected user online when the user is connected to the online account from an IP address or online location from which the company knows the user ordinarily accesses the account.

Previously, breach notification in California was triggered only by the unauthorized acquisition of an individual’s first name or initial and last name in combination with one or more of the following data elements, when either the name or the data elements are unencrypted: social security number; driver’s license or state identification number; account, credit card or debit card number in combination with any required security or access codes; medical information; or health information. S.B. 46 not only expands the categories of information the disclosure of which may trigger the requirement for notification, it also—perhaps unintentionally—requires notification of unauthorized access to user credential information even if that information is encrypted. Thus, S.B. 46 significantly expands the circumstances in which notification may be required.

New Requirements for Disclosure of Tracking Practices

A.B. 370 amends the California Online Privacy Protection Act (CalOPPA) to require companies that collect personally identifiable information online to include information about how they respond to “do not track” signals, as well as other information about their collection and use of personally identifiable information. The newly required information includes:

  • How the company responds to “do not track” signals or other mechanisms that provide consumers the ability to exercise choice over the collection of personally identifiable information about their online activities over time and across third-party websites or online services, if the company collects such information; and
  • Whether third parties may collect personally identifiable information about a consumer’s online activities over time and across different websites when a consumer uses the company’s website.

These disclosures have to be included in a company’s privacy policy. In order to comply with the first requirement, companies may provide a clear and conspicuous hyperlink in their privacy policy to an online description of any program or protocol the company follows that offers the user that choice, including its effects.

It’s important to note that the application of CalOPPA is broad. It applies to any “operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service.” As it is difficult to do business online without attracting users in technologically sophisticated and demographically diverse California, these provisions will apply to most successful online businesses.

What to Do

In response to the passage of these new laws, companies should take the opportunity to examine their data privacy and security policies and practices to determine whether any updates are needed. Companies should review and, if necessary, revise their data security breach plans to account for the newly added triggering information as well as the new form of notification that may be used if that information is accessed. Companies that collect personally identifiable information online or through mobile applications should review their online tracking activities and their privacy policies to determine whether and what revisions are necessary. The California Attorney General interprets CalOPPA to apply to mobile applications that collect personally identifiable information, so companies that provide such mobile apps should remember to include those apps in their review and any update.


Cyber Security Summit – October 22-23, 2013

The National Law Review is pleased to bring you information about the upcoming Cyber Security Summit.

Will a New California Ballot Initiative Usher in the Next National Shift in Privacy Law?

Poyner Spruill

Just 10 years ago, California enacted the first breach notification law and unwittingly transformed the landscape of American privacy and data security law. To date, 45 other states, multiple federal agencies, and even local governments have followed suit. California residents may soon find themselves voting on a ballot initiative that could have an equally dramatic effect on this area of law.


The ballot initiative, known as the California Personal Privacy Initiative, is designed to remove barriers to privacy and data security lawsuits and also would promote stronger data security and an “opt-in” standard for the disclosure of personal information. Specifically, the initiative would amend the California Constitution to:

  1. Create a presumption that “personally identifying information” collected for a commercial or governmental purpose is confidential;

  2. Require the person collecting such information to use all reasonably available means to protect it from unauthorized disclosure; and

  3. Create a presumption of harm to a person whenever her confidential personally identifying information has been disclosed without her authorization.

Notwithstanding the presumption of harm, the amendment would permit the disclosure of confidential personally identifying information without authorization “if there is a countervailing compelling interest to do so (such as public safety or protected non-commercial free speech) and there is no reasonable alternative for accomplishing such compelling interest.”

Turning first to the impact on litigation, plaintiffs have largely been unsuccessful in privacy and data security litigation because they have failed to show harm resulting from an alleged unlawful privacy practice or security breach. The obligation to show harm arises at two stages when a case is litigated in federal court: first, the plaintiff must establish that he has suffered an “injury in fact” in order to meet the requirements for Article III standing, and second, the plaintiff must satisfy the harm requirement that applies to the relevant cause of action (e.g., negligence). If the case is litigated in state court, the standing requirement does not apply, but most, if not all, privacy and data security breach class actions have been litigated in federal court.

The ballot initiative would create a presumption of harm that could allow more lawsuits to satisfy the injury-in-fact standard (step one, above) and the harm requirement for the underlying cause of action (step two, above). Without that barrier, businesses would be stripped of the most effective means of prevailing on a motion to dismiss for certain causes of action. And in some scenarios, businesses would be forced to rely on untested or tenuous defenses, making companies more likely to settle, rather than fight, previously unsustainable causes of action.

Other components of the initiative would exacerbate the uptick in litigation, including the presumption that personally identifying information collected for a commercial purpose is confidential and the requirement that organizations use reasonable measures to prevent unauthorized disclosure of that information. Plaintiffs’ claims are sometimes based on an allegation that promises made in the defendant’s privacy notice regarding security measures are deceptive. Currently, companies can protect themselves against these claims by making only conservative representations about privacy and security. But the ballot initiative could create a general duty to adopt reasonable privacy and security measures, raising the prospect that plaintiffs could more successfully pursue negligence-style claims, which companies cannot deter solely by adopting conservative privacy notices.

The initiative also employs a very broad definition of personally identifying information: “any information which can be used to distinguish or trace a natural person’s identity, including but not limited to financial and/or health information, which is linked or linkable to a specific natural person.” (The definition does not cover publicly available information lawfully made available to the public from government records.) This expansive definition would force organizations to apply stricter security to types of information that might not otherwise receive those protections. Furthermore, the definition is particularly problematic when considered in conjunction with the presumption of harm discussed above because identifiable data such as names, email addresses, and device identifiers are routinely shared by businesses without consent. If this initiative succeeds, the increased threat of litigation will incentivize businesses to default to an opt-in standard for disclosures of information.

There is, however, at least one reason to believe that the initiative may not be as detrimental to business interests as some are predicting. Showing a nominal harm for the underlying cause of action does not necessarily equate to an award of damages so, even if the ballot initiative is successful, there would in some cases remain a practical limitation on the plaintiff’s ability to recoup money damages. Where statutory damages are available, or where a plaintiff can show some actual monetary harm, money awards would be possible. But in cases where statutory damages are not available and a plaintiff must show actual monetary harm to procure a monetary award, the ballot initiative may not save such claims. For example, the damages award flowing from a negligence claim is generally based on the actual damages incurred by a plaintiff. Therefore, even if the plaintiff could state a cause of action for the purpose of defeating a motion to dismiss, the plaintiff may not be entitled to anything more than a nominal damages award if the plaintiff cannot demonstrate monetary damage such as the cost of credit monitoring, identity theft insurance, or perhaps even therapy bills. On the other hand, courts could interpret the amendment as requiring recognition of a new type of harm, similar to emotional distress, that is compensable through money damages—even without a showing of some concrete financial harm to the plaintiff.

The ballot initiative’s proponents must obtain 807,615 signatures before Californians would have the opportunity to vote on it. If the signatures are collected, then the initiative will appear on the ballot without further opportunity to seek amendments to address business concerns. If the initiative appears on the ballot, it would require only a simple majority vote to pass. Interested organizations should work to ensure that public debate over the initiative includes a discussion of the heavy burden on business that could result from the initiative.



A Different Kind of Adobe Update: Adobe Announces Data Breach Compromising Information of 2.9 Million Customers

Mintz

Adobe Systems Inc. announced earlier today that it has been the victim of a cyber attack that compromised information of 2.9 million of its customers. In a blog post Thursday morning, Adobe’s Chief Security Officer Brad Arkin referred to such attacks as “one of the unfortunate realities of doing business today” and added that the attack on customer information is believed to be linked to an attack in which hackers obtained source code for certain Adobe products, including its ColdFusion web application platform and its Acrobat family of products.

Adobe Systems Inc. reported what it called a sophisticated attack on its computer network, involving illegal access to both customer information and source code related to its programs.

The scope of the breach was first disclosed by security blogger Brian Krebs on his blog, Krebs on Security. The customer information accessed by the hackers includes names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders. At this time Adobe does not believe that decrypted credit or debit card numbers were obtained. Adobe has reset passwords for certain customers and will be notifying customers whose debit or credit card information is believed to have been accessed. For those customers whose credit or debit card information has been accessed, Adobe will offer a complimentary one-year membership with a credit monitoring service.

This latest incident is a reminder that cyber attacks are not only an “unfortunate reality” of doing business, but are also increasingly common. If your business collects customer or user information, there is no time like the present to make sure you have a response plan in place.

Read more:

New York Times – Adobe Announces Security Breach

PCWorld – Adobe Reports Massive Security Breach

Wall Street Journal – Hackers Hit Adobe Systems Network

AllThingsD


White House Previews List of Incentives to Support Adoption of its Cybersecurity Framework

Bracewell & Giuliani

As its latest step in a broader effort to prioritize cybersecurity, the White House released last week a list of possible incentives that may be offered to companies that own or operate critical infrastructure systems and assets to encourage adoption of a national Cybersecurity Framework, scheduled for release in February 2014. The list of possible incentives—which the Departments of Homeland Security, Commerce, and Treasury identified in response to a February 12, 2013 Executive Order—includes grants, liability limitation, public recognition, and cybersecurity investment rate recovery, among others. Some of the identified incentives could be created from existing federal agency authorities, while others would require legislative action from Congress. Over the next few months, agencies will seek input from critical infrastructure stakeholders in examining their preliminary lists and determining which to implement and how.

In the same February 12, 2013 Executive Order, the President directed the National Institute of Standards and Technology (NIST), an agency of the Department of Commerce, to lead the development of a national Cybersecurity Framework to reduce cyber risks to critical infrastructure. The President called for the Framework to include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks, and directed NIST to incorporate voluntary consensus standards and industry best practices to the fullest extent possible. NIST released a draft outline of the Framework on July 1, 2013, and a full draft of the Framework is scheduled for release in October.

Exactly how the Cybersecurity Framework will interact with or complement the North American Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards is unclear. The Cybersecurity Framework is intended to provide cross-sector security standards, while the NERC CIP standards were developed by, and for the use of, the electricity sub-sector. The Administration intends for NIST to consult its peers, as the President directed the Secretary of Homeland Security to “engage and consider the advice” of sector-specific and other relevant agencies. The Secretary must also identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations, which would presumably include NERC. Whether NERC has been consulted and how their input thus far has been considered is unclear.

In its draft outline of the Cybersecurity Framework, NIST indicates that the voluntary program is intended to complement rather than to conflict with current regulatory authorities, and the draft compendium, attached to the outline, includes reference to the NERC CIP Standards. In fact, NERC submitted comments in response to NIST’s February 26, 2013 Request for Information seeking input to help shape the draft Framework. However, the content of the Framework is still unknown, and until the draft is released in October, the exact relationship between the two sets of standards remains uncertain. In the meantime, as NERC stated in its comments to NIST, NERC feels strongly that a second set of potentially conflicting or redundant standards could create undue hardship on the electricity sub-sector. NERC also stated that, “while a framework of cybersecurity standards that is applicable to all sectors is possible, the framework may need flexibility to have certain common elements to be valuable or effective. Some sectors, such as the electricity sub-sector, are far more advanced in their cybersecurity efforts; other sectors may need time to meet minimum (voluntary) standards. The framework must build on existing standards and programs to develop a comprehensive approach to cybersecurity.”

As national-level cybersecurity efforts have progressed this year, so have NERC’s efforts to improve the CIP standards. NERC Reliability Standards are generally written as performance standards; that is, they prescribe a measurable end-state or goal, and attempt to remain technology- and method-neutral. However, utilities widely criticized earlier versions of the standards as being focused primarily on compliance documentation as opposed to security principles. With input from stakeholders, NERC significantly revised its CIP standards in Version 5, which were filed with FERC on January 31, 2013. Much of industry considers the revised CIP program to be an improved framework for critical asset cybersecurity protection, with a renewed risk-based focus on security. NERC stated that it stands ready to share its industry-driven approach with NIST as it endeavors to develop the Cybersecurity Framework.

Google, Yahoo, and Ad Networks Agree to Set of Best Practices to Combat Online Piracy

Mintz

The United States Intellectual Property Enforcement Coordinator Victoria Espinel recently blogged about a new effort to combat online piracy of intellectual property. The broad-based effort attempts to leverage the participation of several large internet/publishing companies (Google, Yahoo, Microsoft, AOL and Condé Nast), advertising networks (24/7 Media, Adtegrity) and the Interactive Advertising Bureau. The parties have agreed to voluntarily adopt a set of best practices to remove advertising from websites that are primarily engaged in copyright piracy (movies, video games, music, books, etc.) or selling counterfeit goods.

In addition to efforts by companies to combat a similar problem using the Copyright Alert System, which we have previously covered, the current agreement takes aim at shutting down the profitability (and it is hoped, the major incentive) of these piracy websites to attenuate their proliferation.

The parties have agreed to implement these procedures and establish a system whereby a rights holder will send an initial informal complaint to one of the participating ad networks alleging that the website at issue is “principally dedicated to” engaging in copyright piracy and/or counterfeiting goods. Further, the website must have no “substantially non-infringing uses.” Upon receipt of a complaint, the ad networks will investigate and determine whether to take action, which can range from requesting that the website cease the alleged activity, to an embargo on advertisements placed by that ad network on the website until the alleged violations are removed, or ultimately, removing the website from the ad network altogether. While not required to, the ad network may also consider any evidence provided by the website owner that it is either not principally dedicated to counterfeiting or copyright piracy, or has substantial non-infringing uses. Any such “counter notice” should include the content prescribed in the Digital Millennium Copyright Act (17 U.S.C. §512(g)(3)). In addition, the participating ad networks will be certified under the Interactive Advertising Bureau’s Networks and Exchanges Quality Assurance Guidelines.

It is important to note that the burden to initiate the process is squarely on the rights holder, the guidelines explicitly noting that (i) there is no burden on the ad networks to police or actively monitor the websites on which their ads are placed; and (ii) by participating in this program, the ad networks do not prejudice their ability to maintain any “safe harbor” status they may otherwise be entitled to.

These best practices certainly have the critical mass to succeed. The critical question, however, will be the quality of the analysis by the ad networks in response to allegations of piracy or counterfeiting, and the efficacy of this avenue of redress as perceived by the rights holders. Regardless, this agreement, which may be refined going forward, is another step toward alleviating some of the pressure search engines have been under recently to take more proactive steps toward protecting intellectual property.
